As awareness of cybersecurity risk increases, entities (e.g., organizations, companies, etc.) look to understand their exposure to security threats and, in some cases, seek guidance on the types of protective measures that can be taken to minimize their exposure. Some entities seek to understand how they compare with peer entities in terms of threat exposure and the measures that their peer entities are undertaking to protect themselves. However, due to the substantial variation in entity features, operating procedures, historical records, and security resources among entities, it is difficult to directly or efficiently compare one entity to another entity in the context of cybersecurity risk.